Implementing a Business Continuity Management (BCM) System – LRQA Guidance
"The most serious failure of leadership is the failure to foresee."
Robert Greenleaf. Founder of the modern servant leadership movement.
Why is BS 25999 good for you?
Organisations exist either to make a profit or, in the case of the public and charity sectors, to deliver an efficient service to their clients. How is this aim affected if something interrupts an organisation’s process flows, stopping them from producing the product or providing the service? Will they survive?
A business continuity management (BCM) system will help organisations put structures in place to identify the potential threats that may exist, the impact of incidents and how they can be guarded against. It then provides a framework for managing the organisation through the process of preparing strategies and methods to reduce the impact of any incident and building the capability to effectively respond should one occur.
Many companies find themselves in the position of facing financial penalties, court proceedings or even criminal prosecution if they fail to fulfil contractual obligations. A framework to help a business increase its resilience should be welcomed. Having a system in place that has then been externally certified by an independent third party can help protect your brand; support claims made in tenders and sales proposals; enhance your reputation with your insurers and regulators and provide a greater level of assurance to customers and stakeholders that you can deliver for them.
This article provides some practical guidance and advice for those tasked with implementing a business continuity management system with a view to gaining certification to BS 25999-2.
This article is written by Margo Logie, Lead Assessor. Margo has worked for LRQA for eleven years, assessing a wide variety of companies against BCM and quality standards.
What is BS 25999 all about?
Part 1 of BS 25999 was issued in 2006 and is a code of practice. This is a good place to start to get an understanding of what BCM is all about, the rationale of the Standard and the areas that need to be included within the management system. Part 2 was issued in 2007 and this is the specification against which certification can be gained. Copies of the standard can be purchased from LRQAstandards.com (you will be sent to an external website).
Like most ISO management system standards, it is based on the Plan, Do, Check, Act cycle, with four principal steps:
- Understanding the organisation
- Determining a BCM strategy
- Developing and implementing a BCM response
- Exercising, maintaining and reviewing.
There are other similarities to ISO standards such as top management’s commitment needed in setting the policy and objectives, provision of resources and allocation of responsibilities. Without the understanding and support of senior management, its implementation will ultimately fail.
Other common requirements include maintaining documentation, procedures for corrective and preventive action, determining competency of personnel operating key roles within the business continuity management system, and provision of training.
If your organisation has certification against an ISO management system standard, then using the existing processes and procedures to manage, for example, documentation and records should be easy to achieve. If not, there will be more work involved in defining and setting up the controls needed; however, the principles behind the requirements are straightforward. Keep things as simple as possible and, if you have access to electronic systems, take advantage of these where appropriate, as they often have built-in controls.
My colleague David Lawson has provided some guidance relating to implementing a Quality Management System, which may be helpful to refer to if your organisation is structuring a management system for the first time. Read our 9001 implementation guidance.
Support is also available through LRQA Training. They can help provide a greater understanding of how a business continuity management system could help meet your business needs. As well as courses open to the public they can provide tailored training to meet organisational requirements.
Understanding the Organisation
“We can have facts without thinking but we cannot have thinking without facts”.
John Dewey. US educator, pragmatist philosopher & psychologist
This is an important first step in the Business Continuity Management (BCM) cycle. It is aimed at ensuring that the organisation understands what its key products and services are and the critical activities that support their provision. This will form the scope of the BCM.
It is going back to the very basics and questioning top management so that you are able to clearly define the fundamentals of the business: the key products and services.
For example:
- Which product/service lines are most profitable?
- Which customers does the company make the most from?
- Which products have a long-term future and which have a limited shelf life?
- Which markets provide the most opportunities, and what products/services are they buying?
- Which locations/suppliers/partners are the most important for the company, and why?
This basic understanding is then built on by undertaking a Business Impact Analysis to determine the Maximum Tolerable Period of Disruption and then the Recovery Time Objective. This analysis and questioning is to help gain an understanding of the critical activities, the interdependence of activities and any reliance the organisation has on others or that others have on it.
A lot of meetings, interviews and maybe surveys will be involved throughout the implementation of the system, which is why the commitment of top management will be important. These may be time consuming but having the involvement of others in the organisation at these early stages will make the later work of embedding BCM that much easier.
Business Impact Analysis (BIA)
Armed with a basic understanding of the products and services that are important to the business an impact analysis must be undertaken. This will determine the impact of a disruption to the activities that support key products or services. It is important to document this as it is the foundation work for the BCM and it could well be used to justify investment needed for risk reduction and process recovery.
There are two main areas in terms of impact to consider:
1) Financial loss, eg, sales, revenue, increased costs, penalty charges, fines etc.
2) Impact on brand, image and reputation, eg, from customer dissatisfaction, supplier problems, staff morale, media attention etc.
The types of questions you need to be answering are:
- Is the activity reliant on key members of staff, skills or expertise?
- Is there specialist equipment involved, or unique requirements such as building security levels, clean rooms, temperature controls, etc.?
- What IT systems are needed?
- What are the key data, documentation and record keeping requirements?
- Are there key contractors, service providers, suppliers involved in the activity?
- Are there legal or regulatory requirements to be met?
- Are there any special communication requirements to be aware of?
The BIA is also used to determine the time at which recovery of the process is invoked, following a major incident – the recovery time objective. So it must:
1) Identify critical times within the process cycle. That is the time the impact would be at its worst, for example, for a warehouse the lead up to Christmas, for a beach front hotel the summer, for an accountant the end of January when tax returns are due etc.
2) Identify the time it will take for the interruption to have a critical impact on the business - the Maximum Tolerable Period of Disruption. Assume the worst case scenario here (total failure at the most critical time). In those circumstances, how long can the business do without a product, service or sub-process?
Maximum Tolerable Period of Disruption (MTPoD) and Recovery Time Objective (RTO)
The MTPoD needs to be determined for each critical activity supporting delivery of the product or service. This is the longest time an organisation can afford not to produce a product or deliver a service. The reasons vary and may include bad press, cash flow problems, or contract penalties for failure to deliver that would be too great to bear. Whatever the reasons, you simply could not afford to be out of action for any longer.
The timeframe will vary considerably depending on the business - for a call centre taking 999 calls it is likely to be only a minute at the most, whereas if you are making a super tanker and everything stops for a couple of weeks, that might not cause a problem at all.
As part of the process for determining the MTPoD you also need to identify the minimum level at which the activity needs to resume and the length of time in which normal levels of operation need to resume.
From the MTPoD, a Recovery Time Objective or RTO can be set for each activity. This is the time in which the organisation will get the activity back up and running. This of course needs to be less than the MTPoD. So if you decide two weeks is the longest time you can afford to lose production of your super tanker, your RTO is likely to be around 12 or 13 days from the start of the disruption. The 999 call centre is likely to have an RTO defined in seconds.
Another very simple example: the BIA has identified that your business would be affected if all six members of staff could not meet in a real office for a week, but some of you could meet in an internet café in the interim. The RTO would be less than a week (recover to the internet café), with a resumption level of, say, 50%, as you need a real office for everyone to meet.
Therefore: MTPoD = 7 days; RTO = 3 days.
Minimum level of resumption = 50%. Resources needed = 3 members of staff.
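As an added worked illustration (not part of the LRQA article), the small Python register below records the MTPoD, RTO and minimum resumption level for a few activities and checks the relationships the text describes: the RTO must be shorter than the MTPoD, the headcount for the minimum resumption level follows from the percentage, and activities with the least tolerance for disruption come first in recovery priority. The activity names and hour values are constructed; the office entry uses the figures from the example above (7 days, 3 days, 50%, six staff).

```python
"""Consistency checks over a small Business Impact Analysis (BIA) register.

Added illustration, not part of the LRQA guidance. All register entries and
hour values are constructed; the office entry follows the article's example.
"""
from __future__ import annotations

import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Activity:
    name: str
    mtpod_hours: float        # Maximum Tolerable Period of Disruption
    rto_hours: float          # Recovery Time Objective set for the activity
    min_resumption_pct: int   # minimum level at which the activity must resume
    normal_headcount: int     # staff normally needed to run the activity


def staff_for_minimum_level(activity: Activity) -> int:
    """Headcount needed to run at the minimum resumption level, rounded up."""
    return math.ceil(activity.normal_headcount * activity.min_resumption_pct / 100)


def validate(register: list[Activity]) -> list[str]:
    """Return one message per inconsistency; an empty list means the register is coherent."""
    issues = []
    for a in register:
        if a.mtpod_hours <= 0:
            issues.append(f"{a.name}: MTPoD must be a positive duration")
        # The RTO is derived from the MTPoD and must leave some margin below it.
        if not a.rto_hours < a.mtpod_hours:
            issues.append(
                f"{a.name}: RTO ({a.rto_hours}h) must be shorter than MTPoD ({a.mtpod_hours}h)"
            )
        if not 0 < a.min_resumption_pct <= 100:
            issues.append(f"{a.name}: minimum resumption level must be between 1 and 100 percent")
    return issues


def recovery_priority(register: list[Activity]) -> list[str]:
    """Activity names ordered so the shortest MTPoD (least tolerance for disruption) comes first."""
    return [a.name for a in sorted(register, key=lambda a: (a.mtpod_hours, a.rto_hours))]


# Constructed register; the hours are illustrative, not figures from any real BIA.
REGISTER = [
    Activity("Office access (six staff)", mtpod_hours=7 * 24, rto_hours=3 * 24,
             min_resumption_pct=50, normal_headcount=6),
    Activity("999 call handling", mtpod_hours=1 / 60, rto_hours=10 / 3600,
             min_resumption_pct=100, normal_headcount=40),
    Activity("Super tanker assembly", mtpod_hours=14 * 24, rto_hours=12 * 24,
             min_resumption_pct=25, normal_headcount=200),
    # Deliberately inconsistent entry: the RTO is longer than the MTPoD, so validate() flags it.
    Activity("Payroll run", mtpod_hours=48, rto_hours=72,
             min_resumption_pct=100, normal_headcount=4),
]

if __name__ == "__main__":
    for problem in validate(REGISTER):
        print("ISSUE:", problem)
    print("Recovery priority:", recovery_priority(REGISTER))
    office = REGISTER[0]
    print(f"{office.name}: {staff_for_minimum_level(office)} staff needed "
          f"at {office.min_resumption_pct}% resumption")
```

Running the script flags only the payroll entry, whose RTO exceeds its MTPoD, and orders the remaining activities with the 999 call handling first; the office entry resolves to three of six staff, matching the figures in the text.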
Risk Assessment
A Risk Assessment is the next step after the Business Impact Analysis. It is used to identify and document the internal and external threats that can cause loss or disruption. Both the probability and the impact of each risk are assessed. If the organisation has a number of sites, the risks relating to each one will need to be considered.
Beware of jumping straight into the task by starting to think up all kinds of catastrophic events. They should be categorised by their effect, eg, no access to the building, loss of staff, loss of utilities etc. rather than by specific events that cause a business interruption, eg, fire, flood etc.
Once you have assessed the probability and impact of each risk, consider developing Risk Reduction Plans to ensure all identified risks can be reduced to an “acceptable” level. Some of these plans could require major investment, which is why a clear understanding of the business and a robust Business Impact Analysis are so vital: where major investment is needed, they help build the business case for the resource required to implement the risk reduction plan.
Determining a BCM Strategy
The strategy is best understood as ensuring that the structure, arrangements and resources are in place to enable the recovery time objectives to be met, and that risk reduction plans are produced and acted on so that the next two stages of the process can take place. It is really the demonstration of top management’s commitment to make things happen. It needs to support the organisation’s objectives, as well as any contractual obligations or statutory duties, while also being cost effective.
For example, if your organisation uses specialised manufacturing and testing equipment the types of continuity strategies that might be employed are:
1) Move back-up equipment to another location.
2) Locate equipment that is available and could be used at another of your organisation’s locations.
3) Negotiate with your suppliers the possibility to purchase extra equipment at short notice.
Developing and Implementing a BCM Response
"A good plan, violently executed now, is better than a perfect plan next week".
George S. Patton. US general
You hope it will never happen. But if it does, what do you do? Well, you pull out your incident management and recovery plans! These are the plans that most businesses have produced, but in a majority of cases they are purely IT based. A robust recovery plan covers far more than that.
The first thing an incident management plan should do is clearly define who is responsible for what, including who is responsible for triggering implementation of the plan. Clear lines of communication must be defined and the key tasks that need to be completed included. However, as the exact nature of the incident will not be known when drawing up the plan, it needs flexibility; it must also be feasible, easy to read and understood in the heat of the moment.
Include task and action checklists. Consider areas such as:
- contacts and meeting locations
- ensuring the welfare of individuals
- strategic and operational options
- how to prevent further loss/ unavailability
- what resources are needed and who will organise them
- your media response
- your contact with customers and stakeholders
- the process for standing down
- record keeping (recording key information about the incident, actions taken and decisions made could be invaluable if any legal action is subsequently taken by or against the organisation).
You can never cover every scenario, but by basing plans on the worst case scenario it is much easier to implement a trimmed-down version than to try to beef up a thin plan.
Also consider the need for a resumption plan. This is complementary to the recovery plan and relates to how you return to “business as usual” following implementation of the recovery plan. It may not be able to go into a lot of detail but setting the strategy is important. Do you want to move back into old premises? Could you take the opportunity to move? If rebuilding, do you have to find another site in the medium term, as the initial contingency site is only a very short term option? Do you want to just get back to the original site as soon as possible? Although the most straightforward option even that will take as much planning to achieve as it took to get to the contingency site.
Exercising, Maintaining and Reviewing
"In the business world, the rearview mirror is always clearer than the windshield."
Warren Buffett. Financier & investment businessman
Once the strategy and plans have been drawn up, an exercise programme is needed to see that they would work! Typically the types of tests are: desk checking; walkthroughs; simulation exercises; activity/department testing; full relocation tests; or the best test of all, a real incident. The more complex (and therefore usually the more costly) the test, the more assurance it is likely to provide.
The aim of testing is to examine assumptions and validate the plans to see that they can be relied on and the recovery time objectives could be met. For example, if infrastructure and technology systems are reliant on a remote server being rebuilt within a few hours, can that be done? Or to see that you really could hire a bus at 4pm one day and get 50 folk to the contingency site 20 miles away for 8am the next day, if your plan says that is what you would do.
Practice improves team work. It facilitates the process of actions becoming automatic and it builds confidence in responses.
A maintenance programme is also required, as the system will need to be updated and changed as the organisation develops: for example, when new or changed business processes, technology or products are introduced, staff changes are made, or glitches are found when testing.
Periodic reviews are also needed. Incorporating the testing, audit and self-assessment activities into one overall plan covering a defined period of time may be helpful. Top management need to be involved in reviewing the outcome of these activities, as well as the system as a whole: for example, to re-assess whether the strategies are effective and the business impact timescales remain appropriate.
Support is available through LRQA Training. They can help provide a greater understanding of how to implement, maintain and improve a business continuity management system. As well as courses open to the public, they can tailor training to meet your organisation’s requirements.
Certification
Not all certification bodies are the same. When selecting the body you want to work with ensure they are accredited by a national body. In the UK, this is the United Kingdom Accreditation Service (UKAS). For more visit the UKAS website at: www.ukas.com
Certification is an external validation of your business continuity management system, to ensure that it meets the requirements of BS 25999-2:2007.
Your choice of certification body says a lot to your customers about how seriously you take management systems. You need to choose a certification body that can help you develop your management system to realise its potential. With LRQA you will be allocated an account manager who will discuss the best way to approach certification for you.
All LRQA assessors go through a rigorous selection and training programme followed by continual professional development, and are all registered Lead Auditors with IRCA (International Register of Certificated Auditors), the UK’s premier auditor registration body, providing you with the best the certification industry has to offer.
This gives you the assurance that by choosing LRQA as your certification body you will get a thorough but fair assessment supporting the ongoing development of your management system. In addition, as the LRQA brand is recognised globally, it will provide purchasers – wherever in the world they are based - with the confidence that your management system meets the requirements of BS 25999.
Traditionally certification is gained following a two stage assessment process conducted after the management system has been implemented for a period of time. We also offer another method called “PRiSM” - LRQA’s Progressive Route into Systems Management - that allows you to build an additional certificated management system onto an existing system, at your own pace using your available resource. Read about BS 25999 PRiSM.
Since 1985, we have been designing our services with you in mind. This means we take your individual needs and requirements into account when shaping our services. Our complementary support package has been developed to help you make the most of your management systems and includes:
- Free of charge customer events
- Freephone technical helpdesk
- Online technical helpdesk through our on-line customer support area
- Business advisory line: 0800 783 2179 for new business enquiries
- Account management assistance
For information on gaining BS 25999 certification with LRQA, read BS 25999 certification. LRQA also provides a number of engaging and informative training courses; visit the training section to learn more.
17 May 2012